Store certificates in a hardware security module

You can store the certificates for the FTPS and HTTPS protocols in the HSM key storage provider or security world of a Thales nShield hardware security module (HSM). You can use any Thales nShield HSM that supports the nCipherKM JCA/JCE Java API. You must obtain the API and install it on the SecureTransport system.

The following topics provide the how-to instructions for storing certificates in a hardware security module:

Install and configure the HSM

SecureTransport maintains a keystore that stores references to the certificates stored in the HSM. Before you configure the HSM, decide on a location for the SecureTransport keystore file, for example, <FILEDRIVEHOME>/lib/certs/hsm.keystore.

  1. Install the nShield hardware.
  2. Install the nShield software, including the JCA/JCE cryptography service provider (CSP) on the system where the FTP Server and the HTTP Server run. Note the following values:
    • <NFAST_HOME>, the path name of the installation directory of the nFast client, /opt/nfast by default
    • The keystore passphrase
  3. Make sure that nonpriv_port is set to 9000 and priv_port is set to 9001 in the hard server configuration file, <NFAST_HOME>/kmdata/config/config.
  4. Copy the nCipherKM.jar file from <NFAST_HOME>/java/classes to <FILEDRIVEHOME>/jre/lib/ext.
  5. Run <FILEDRIVEHOME>/jre/bin/java com.ncipher.provider.InstallationTest.
  6. The output includes a list of installed providers. Ignore the statement that the nCipher provider is not correctly installed. The provider is installed at run time.

Generate and sign an HSM certificate

This procedure uses the following placeholders:

  • <alias> – the SSL key alias for FTPS or HTTPS, for example, ftpd or httpd
  • <cert_file> – the file name of the PEM-format certificate file, for example, ftpd.pem or httpd.pem
  • <CSR_file> – the file name of the CSR request file, for example, ftpd.req or httpd.req
  • <FILEDRIVEHOME> – the SecureTransport installation directory, for example, /opt/TMWD/SecureTransport
  • <key_size> – the key size, for example, 1024, 2048, 3072, or 4096
  • <keystore_passphrase> – the passphrase for the HSM keystore
  • <keystore_path> – the path to the SecureTransport HSM keystore
  • <validity> – the validity of the certificate in days
  1. Make the SecureTransport installation directory the current working directory using the following command.

     cd <FILEDRIVEHOME>

  2. Generate a key using the following command.

     jre/bin/keytool -genkey -keyalg RSA -keysize <key_size> \
         -keystore <keystore_path> -storetype nCipher.sworld \
         -providername nCipherKM \
         -providerclass com.ncipher.provider.km.nCipherKM \
         -alias <alias> -storepass <keystore_passphrase>

  3. Generate a certificate signing request (CSR) using the following command.

     jre/bin/keytool -certreq -keystore <keystore_path> \
         -storetype nCipher.sworld -providername nCipherKM \
         -providerclass com.ncipher.provider.km.nCipherKM \
         -alias <alias> -file <CSR_file> -storepass <keystore_passphrase>

  4. Sign the certificate with the internal CA and create the PEM-format certificate file using the following command.

     bin/openssl x509 -req -in <CSR_file> -days <validity> \
         -CA lib/certs/db/ca-crt.pem -CAkey lib/certs/db/ca-key.pem \
         -CAserial lib/certs/db/serial -out <cert_file>

  5. Append the public part of the internal CA to the certificate file using the following command. This is required so that SecureTransport can build the certificate chain.

     cat lib/certs/db/ca-crt.pem >> <cert_file>

  6. Import the signed certificate into the HSM device using the following command.

     jre/bin/keytool -importcert -keystore <keystore_path> \
         -storetype nCipher.sworld -providername nCipherKM \
         -providerclass com.ncipher.provider.km.nCipherKM \
         -storepass <keystore_passphrase> -alias <alias> -file <cert_file>
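As an added example (not from the SecureTransport documentation), the script below rehearses the CSR-signing and CA-append commands above with a throwaway software key standing in for the HSM-held key, and then runs the checks worth doing on <cert_file> before importing it: two certificates in the file, the server certificate first, a chain that verifies against the internal CA, and a CA serial file that has advanced. It assumes openssl is on the PATH; the CA, subjects and file names are constructed.

```shell
#!/bin/sh
# Added example, not part of the SecureTransport documentation: rehearse the
# CSR-signing and chain-append commands with a throwaway software key standing
# in for the HSM-held key, then run the checks worth doing on <cert_file> before
# importing it. Everything here is constructed; no nShield hardware is touched.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_CRT="$WORK/ca-crt.pem"; CA_KEY="$WORK/ca-key.pem"; CA_SERIAL="$WORK/serial"

# Stand-in for lib/certs/db: a self-signed internal CA and a serial file, which
# `openssl x509 -req -CAserial` reads and advances on every signature.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Internal CA" \
    -keyout "$CA_KEY" -out "$CA_CRT" >/dev/null 2>&1
  echo 01 > "$CA_SERIAL"
}

# CSR -> CA-signed leaf -> CA certificate appended so the chain can be built.
# In the real procedure the CSR comes from keytool -certreq against the HSM
# keystore and the private key never leaves the security world.
# $1 = alias (used as CN), $2 = validity in days, $3 = output PEM chain file
sign_and_chain() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.req" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.req" -days "$2" \
    -CA "$CA_CRT" -CAkey "$CA_KEY" -CAserial "$CA_SERIAL" -out "$3" 2>/dev/null
  cat "$CA_CRT" >> "$3"
}

# Pre-import checks: two certificates in the file, the server certificate
# first (keytool -importcert reads that one), and a chain that verifies.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }
leaf_is()    { openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2"; }
chain_ok()   { openssl verify -CAfile "$CA_CRT" "$1" >/dev/null 2>&1; }

make_test_ca
sign_and_chain ftpd 365 "$WORK/ftpd.pem"
sign_and_chain httpd 365 "$WORK/httpd.pem"   # second signature: serial advances again
for f in ftpd httpd; do
  [ "$(cert_count "$WORK/$f.pem")" = 2 ] && leaf_is "$WORK/$f.pem" "$f" \
    && chain_ok "$WORK/$f.pem" && echo "$f.pem: 2 certs, leaf first, chain verifies" \
    || echo "$f.pem: FAILED pre-import checks"
done
echo "next CA serial: $(cat "$CA_SERIAL")"
```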

Use an HSM certificate for FTPS or HTTPS

  1. Specify the HSM for SecureTransport by setting the following server configuration parameters:
    • Set Hsm.keystorePath to the location of the SecureTransport HSM keystore relative to <FILEDRIVEHOME>.
    • (Optional) Set Hsm.keystorePassword to the keystore passphrase.
    • If you do not store the passphrase as a server configuration parameter, you must enter it each time you start a protocol server that uses an HSM certificate. If you do not type the passphrase in the time allotted, the protocol server does not start.
  2. Enable HSM for the protocol servers by setting the following server configuration parameters:
    • Set Ftp.Hsm.enabled to true to enable HSM for the FTP Server
    • Set Http.Hsm.enabled to true to enable HSM for the HTTP Server
  3. Create a local certificate with the same alias as the HSM certificate you created, for example, ftpd or httpd. See Generate a self-issued server certificate. SecureTransport does not use this certificate, but you must have a certificate with the correct alias to reference the HSM certificate.
  4. Set the SSL key aliases for the protocol servers. See Manage the FTP server and Manage the HTTP server.
  5. Restart the protocol servers. See Start and stop servers.
